
Data breach costs continue to rise in 2009, Ponemon study finds

By Robert Westervelt, News Editor
25 Jan 2010 | SearchSecurity.com


In 2009, the cost of a data breach increased for the fifth straight year to $204 per compromised record, but a number of factors, including an increase in the use of data breach consulting services and the experience gained from handling previous breaches, are slowing expense increases, according to an annual study conducted by the Ponemon Institute LLC.

The Traverse City, Mich.-based research firm interviewed 45 companies, many of which had had multiple data breaches, and determined that the average annual data breach costs rose from $6.65 million in 2008 to $6.75 million in 2009. The "Fifth Annual U.S. Cost of Data Breach Study," funded in part by encryption vendor PGP Corp., determined the annual cost of a data breach by establishing a company's cost of lost business as a result of an incident, expenses incurred by notifying individuals and authorities of a breach, costs associated with legal fees and consulting firms, and new investments made in technology and employee education.

The most expensive data breach reported by one of the 45 firms in the study involved more than 100,000 customer records and cost $31 million to resolve.

"There's no real way to avoid a data breach; it's going to happen," said Larry Ponemon, chairman and founder of the institute. "The good news is that companies get better in handling a breach with experience and that results in lower costs."

About 82% of the firms interviewed in the Ponemon study reported more than one data breach. The experience gained through a previous breach helped firms better manage the fallout associated with a breach. The per-victim cost for a first-time data breach is $228 versus $198 for companies experiencing two or more incidents.

"Companies that have experienced a breach in the past take their time; they don't make abrupt decisions and they sometimes hire a consultant to help manage the response," Ponemon said.

Firms that notify potential victims quickly experience higher average data breach costs than those that move slower and determine exactly how many customers were affected.

Meanwhile, the study found that many of the breaches were associated with lost laptops and USB drives (40%); system errors and account statement mix-ups (36%) also contributed to company data breaches. Malicious attacks accounted for about 24% of the breaches, Ponemon said. But perhaps the biggest problem that contributes to data breaches is mistakes made by third-party vendors and company partners such as contractors and consultants, Ponemon said. Those errors were associated with breaches in 42% of the firms surveyed.

More money is being spent on legal defenses than ever before, Ponemon said. Despite many class-action lawsuits being thrown out of court, companies are hiring legal teams to fight the claims.

"All it takes is one court challenge to succeed to cause problems," Ponemon said.

The study found financial services, communications and healthcare firms experience the highest level of customer loss as a result of a breach. Ponemon said the industries rely on trust to maintain business and a breach contributes to an erosion of that trust. Retailers, energy and media companies with less direct consumer contact seem to experience a lower overall customer loss, resulting in lower data breach costs. For example, the TJX Companies Inc., which experienced a massive breach at its T.J. Maxx and other retail locations in 2007, bounced right back in less than a year, posting consecutive profitable quarters through the global economic recession. The company held a customer appreciation day and relied on discounts to lure customers back.

"If handled properly companies will survive a breach," Ponemon said. "There's no excuse for not taking a defense-in-depth approach toward security and maintaining a secure environment; just because you will survive doesn't mean you'll want to go through the pain or put your customers through the aggravation of having a breach."






